# Data Classification Policy

| Document Information | |
|---|---|
| Version | {{version}} |
| Effective Date | {{effective_date}} |
| Document Owner | {{document_owner}} |
| Next Review | {{next_review_date}} |
| Approved By | {{approved_by}} |
## Purpose

The purpose of this policy is to establish guidelines for ensuring the secure operation of the information systems and networks of {{company_name}}, hereafter referred to as "the company", protecting the confidentiality, integrity, and availability of our data.

The purpose of this Data Classification Policy is to define categories of data based on their sensitivity and to outline appropriate handling procedures for each category. This is essential to ensuring that all data is protected in accordance with its sensitivity and importance to the company.

The intent of this policy is to establish the direction and principles for protecting {{company_name}}'s data against cyber threats, and to enable continuous improvement of security capability and resilience to emerging and evolving security threats.
## Scope

This policy applies to all employees, interns, contractors, and third parties who have access to the company's information systems and networks.
## Data Classification Categories

The purpose of data classification is to categorize data based on its sensitivity and importance to the company. This ensures that appropriate security controls can be applied to protect the data from unauthorized access, disclosure, modification, and deletion.

- Public: This is the lowest level of data classification. Public data can be disclosed to the public without causing harm to the company or individuals. Examples of public data include marketing materials, publicly available reports, and general company information. Public data should still be managed responsibly and in line with regulation to ensure its accuracy and integrity and that it is not misleading.
- Internal: Internal data is not intended for public disclosure but would not cause significant harm to the company or individuals if disclosed. Examples of internal data include internal memos, meeting minutes, and non-sensitive operational data. Access to internal data should be controlled and limited to those within the company who have a legitimate need to access the data.
- Confidential: Confidential data could cause harm to the company or individuals if disclosed. Examples of confidential data include customer data, employee data, and financial data. Confidential data should be protected with strong security controls, including access controls, encryption, and secure storage and transmission methods.
- Highly Confidential: Highly confidential data could cause severe harm to the company or individuals if disclosed. Examples of highly confidential data include trade secrets, sensitive financial data, and personally identifiable information (PII). Highly confidential data requires the highest level of protection and should only be accessed by individuals with a critical need to know. Additional security controls for highly confidential data may include encryption, multi-factor authentication, enhanced auditing and monitoring, and strict data handling procedures.

All users are responsible for classifying their data in accordance with this policy and for handling the data in accordance with its classification. The {{it_provider}} is responsible for providing the necessary tools and training to support data classification and for implementing the security controls required for each data classification category.
## Data Handling Procedures

The purpose of data handling procedures is to provide guidelines for how data should be accessed, stored, transmitted, and disposed of based on its classification category. This ensures that appropriate security controls are applied to protect the data throughout its lifecycle.

- Public Data Handling Procedures: Public data can be freely shared both within and outside the company. Public data should be stored in locations that are accessible to the public and can be transmitted using standard communication methods.
- Internal Data Handling Procedures: Internal data should only be accessed by authorized individuals within the company. It should be stored in secure locations that are not accessible to the public. When transmitting internal data, secure communication methods should be used to prevent unauthorized access. When disposing of internal data, standard disposal methods can be used, but care should be taken to prevent unauthorized access during the disposal process.
- Confidential Data Handling Procedures: Confidential data should only be accessed by authorized individuals who have a legitimate need to access the data. It should be stored in secure locations with strong access controls. When transmitting confidential data, secure communication methods should be used. When disposing of confidential data, secure disposal methods should be used that render the data unrecoverable.
- Highly Confidential Data Handling Procedures: Highly confidential data should only be accessed by authorized individuals who have a critical need to access the data. It should be stored in highly secure locations with strong access controls and additional security measures, such as encryption. When transmitting highly confidential data, highly secure communication methods should be used, such as end-to-end encryption and secure file transfer protocols. When disposing of highly confidential data, highly secure disposal methods should be used that render the data unrecoverable and verify the successful destruction of the data.

All employees, contractors, and third parties are required to handle data in accordance with this policy. Non-compliance may result in disciplinary action, up to and including termination of employment or contract.
## Staff Responsibilities

Staff (including interns and contractors) are expected to uphold the company's standards of professional conduct and to comply with this policy in its entirety.

All staff must read, understand, and comply with all components of this policy, and with all laws and regulations that apply to their role.

- Staff should speak up when they see possible violations of the policies or of legal and regulatory requirements.
- Staff must be truthful, cooperate fully in any internal investigations, and not conceal or destroy information.
- Staff should ensure they complete training on the policies, and attest that they understand and commit to comply with them.
- Failing to read or attest to the policies does not excuse staff from these responsibilities.
## Review

This policy will be reviewed at least annually or as needed based on changes to our business, technology, or regulatory environment.
## Enforcement & Waivers

These policies are important to us. Violation may result in disciplinary action, up to and including termination of employment. A provision of these policies may be waived for a staff member only with the consent of {{company_name}}'s board of directors.
## Implementation Check

- Who owns this? {{policy_owner}}
- Are we doing it? {{implementation_status}}
- When will we check again? {{next_review_date}}